executing a script when logging via ssh

rubby1 · 10-04-2005, 07:49 AM

hello,

i'm new here =)

ok, i woold like execute a script (sh or php) when a user log in with ssh (the goal is to send an email.

this script wolld be executed just after the validation of login / password.
i searched inside the ssfd conf, but nothing looks like that.

what's the way please ?

regards
and thx in advance
Rubby

unSpawn · 10-04-2005, 09:20 AM

this script wolld be executed just after the validation of login / password.
If your distro uses PAM (got dir and files in /etc/pam.d) you prolly can use something like the pam_script module.

rubby1 · 10-04-2005, 09:44 AM

yep there is pam, and there is also a config for sshd, so what can i do ? :!

here is the content :
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so

do you think i can add this line ???
session required /home/myscript.sh (or .php) service=system-auth

???

rubby

clb · 10-04-2005, 03:59 PM

If they are using the BASH shell, add the following line to their /home/user/.bash_profile file:

/path/to/executable/script.php

or

sh /path/to/script

Both shell scripts and php scripts can be made executable - and PHP could be easier to send mail from. If you are planning to do it for all users, you will have to edit each users .bash_profile aswell as the/etc/skel/.bash_profile

/etc/skel is a directory that is used to create all new user dirs from - if its in the /etc/skel directory then it will be in the new users directory. This applies to the contents of files in /etc/skell

rubby1 · 10-04-2005, 07:11 PM

hi,

ok thx for your answer =)

do you think i can do the same with pam ?

cr

unSpawn · 10-05-2005, 02:31 PM

do you think i can do the same with pam ?
Should go something like this.
1. Install pam_script.so if you haven't got it in /lib/security/
2. Add this line in /etc/pam.d/sshd under the other "session" statements:

Code:

session  required pam_script.so onsessionopen="/etc/security/ssh_mail.sh"

3. Now edit your script "/etc/security/ssh_mail.sh" and make executable:

Code:

#!/bin/sh
# 1st arg by pam_script: username, 2nd arg: service
_user="$1"; _svc="$2"
getent passwd "${_user}" 2>&1>/dev/null; case "$?" in 0) echo -en "Hello ${_user},\n\nWelcome to ${HOSTNAME}\
\nHave phun\!\nThe owner\n"|mail -s "Welcome ${_user}" "${_user}@${HOSTNAME};; *) logger "pam_script [FATAL]\
 running script for ${_user}@${_svc}";; esac; exit 0

* Test...

rubby1 · 10-05-2005, 05:29 PM

hehe ok thx !

if somethink is wrong, can it crash sshd ???? (it is a distant server =) so if no more sshd, no more server =)

CR

unSpawn · 10-06-2005, 09:51 AM

I tested pam_script (v0.4 I think) and ...

OK, using mailx package is nice, but you really want to forge either a no-return@ address or a general address like "info@". To do this I pipe the message (Subject: and body) tru sendmail using -F and -f. Side effect from this is you will need a privileged (non-root account) user to run the script as (runas=) , else you'll have an X-Auth warning header saying the luser faked the From: address. However I set the permissions on the runnable script and whatever user I use, it ain't working. Besides that logging out of a ssh session seems to halt at "logout", and the /etc/login.defs fix (CLOSE_SESSION) doesn't work as advertised either.

Long story short, pam_script doesn't work as I want it to work, so forget it.

rubby1 · 10-06-2005, 03:12 PM

ok =)